Remote code injection exploits inflict a significant societal cost, and an active underground economy has grown up around these continually evolving attacks. We present a methodology for inferring the phylogeny, or evolutionary tree, of such exploits. We have applied this methodology to traffic captured at several vantage points, and we demonstrate that our methodology is robust to the observed polymorphism. Our techniques revealed non-trivial code sharing among different exploit families, and the resulting phylogenies accurately captured the subtle variations among exploits within each family. Thus, we believe our methodology and results are a helpful step to better understanding the evolution of remote code injection exploits on the Internet. Categories and Subject Descriptors C.2.0 [Computer-Communication Networks]: General—Security and protection; D.4.6 [Operating Systems]: Security and Protection—Invasive software General Terms Algorithms, Measurement, Security Keywords wo...
Justin Ma, John Dunagan, Helen J. Wang, Stefan Sav